What is Privilege Escalation?

No matter how hard security experts try to keep hackers out of protected networks, they always seem to find a way in. One of the tactics that hackers use to gain unauthorized access to a network is known as privilege escalation. Successful privilege escalation attacks grant hackers privileges that normal users don't have. There are two common types of privilege escalation — horizontal and vertical.

Horizontal and vertical escalation both rely on a central aspect of computer programming known as "privileges." Privileges are a security feature of most programs and operating systems; they limit the access that different kinds of users have to files and codes. The more privileges a user has, the more he or she can modify or interact with a system or application.

To prevent unauthorized users from gaining access to advanced operations — such as changing code, deleting files or viewing sensitive data — developers typically employ the principle of least privilege. In other words, every program and user is granted the least amount of privilege necessary to complete a job within the program. When a hacker wants greater privileges than the typical user, he or she has to find a way around this security feature, which can result in a privilege escalation attack.

In a vertical privilege escalation attack, the attacker moves up the privilege ladder, so to speak, by granting himself privileges usually reserved for higher-access users. In most privilege escalation attacks, the hacker first logs in with a low-end user account. Then he can search for exploitable flaws in the system that can be used to elevate his privileges. If the hacker successfully exploits such flaws, he may be able to authorize network activity, create new system users, access files or change the system settings. Such an attack can result in the theft of sensitive data or the hijacking of an entire network.

Other common examples of vertical privilege escalation attacks are lock screen bypasses on many of today's popular smartphones. Android and iOS have both been affected by such vulnerabilities, which allow an unauthorized user to gain access to someone else's contacts and apps just by performing a simple hack. Jailbreaking — or bypassing the manufacturer's programming restrictions to take full control of a smartphone or other device — is also an example of vertical privilege escalation.

Vertical privilege escalation attacks are difficult, but not impossible, to prevent. The easiest way to keep such attacks at bay is to keep antivirus software up to date and install new patches and software fixes as soon as they become available. The more secure your system, the less likely a hacker is to find an exploitable hole. Employing data execution prevention (DEP) is another way to avoid these kinds of attacks. Most popular operating systems have DEP built in for just this reason. And some networks use operating systems with Mandatory Access Controls to further prevent vertical privilege exploits. [See also: 7 Computer-Security Fixes to Make Right Now]

In horizontal privilege escalation, the attacker is a normal, low-end user who accesses the information of other normal users. In other words, the attacker doesn't gain any advanced privileges; he simply assumes someone else's identity to gain access he would not otherwise have. For example, if a hacker logs into her own online bank account and then, by some flaw in the banking application, is able to also gain access to another user's account, she has just pulled off a horizontal privilege escalation attack.

When a username or password is stolen and then used to gain unauthorized access to an account or network, this is also an example of horizontal privilege escalation. Malware that employs keystroke logging or tracking cookies can be used to steal passwords and facilitate future privilege escalation attacks.

One of the most effective ways to prevent horizontal privilege escalation attacks is to choose passwords that won't be easily guessed by hackers. Always choose unique passwords for every account you create, and be sure to follow a few basic guidelines when creating passwords to ensure security. Include at least eight characters, for example, and be sure to include upper and lower case letters as well as special characters and numbers.

Keeping antivirus software up to date can also help prevent horizontal privilege escalation attacks. Maintaining patched and updated web browsers is also particularly important in avoiding these kind of attacks.